CN109429222B - Method for encrypting wireless network equipment upgrading program and communication data - Google Patents

Method for encrypting wireless network equipment upgrading program and communication data Download PDF

Info

Publication number
CN109429222B
CN109429222B CN201710732946.0A CN201710732946A CN109429222B CN 109429222 B CN109429222 B CN 109429222B CN 201710732946 A CN201710732946 A CN 201710732946A CN 109429222 B CN109429222 B CN 109429222B
Authority
CN
China
Prior art keywords
data
encryption
upgrading
key
program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710732946.0A
Other languages
Chinese (zh)
Other versions
CN109429222A (en
Inventor
齐芸芸
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ye Yirong
Original Assignee
Ye Yirong
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ye Yirong filed Critical Ye Yirong
Priority to CN201710732946.0A priority Critical patent/CN109429222B/en
Publication of CN109429222A publication Critical patent/CN109429222A/en
Application granted granted Critical
Publication of CN109429222B publication Critical patent/CN109429222B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention discloses a method for encrypting an upgrading program and communication data of wireless network equipment. The encryption of the embedded upgrading program is realized through simple grouping, exclusive-or, shifting, interpolation processing and SHA256 Hash algorithm, and the encryption of the upgrading program data block with high reliability is realized through the encryption digest algorithm. A plurality of random numbers are used during grouping, exclusive-or, shifting and interpolation processing in the program data encryption process each time, the random numbers and other key data form an encryption summary, the upgraded program ciphertext can be decrypted through the encryption summary, and the encryption ciphertext and the encryption summary generated by encrypting the same program data on different encryption processing devices at different moments are different. The invention occupies less code space of the CPU processor of the wireless network equipment, has lower requirement on the operation speed of the processor, can adopt a very low-cost processor to realize the encryption of the upgrading program and the communication data, and ensures the safety of equipment communication and the integrity of the data.

Description

Method for encrypting wireless network equipment upgrading program and communication data
Technical Field
The invention relates to the technical field of data encryption, in particular to the field of Internet of things, wireless sensor networks and embedded systems, and particularly relates to a method for encrypting an upgrade program and communication data of wireless network equipment.
Background
In the internet of things, wireless sensor networks and embedded systems, each device is embedded with an embedded CPU processor for executing an embedded program written by designers for realizing automation and intellectualization of the device and the system, however, the problems of abnormal device operation, newly added functions of the device and the like caused by program code errors are inevitable in the process of writing the embedded program, and in order to conveniently solve the problems, designers usually design an online upgrading mechanism for facilitating upgrading and updating of the program, but almost all the online upgrades at present adopt plain texts for transmitting, storing and upgrading binary programs, are very easy to obtain and direct engineering by third parties, so that the product designers spend a large amount of manpower, material resources and time to develop products, and are maliciously copied by the third parties just after the time of the market, causing a huge loss to the product designer.
In the fields of the internet of things and wireless sensor networks, due to the openness of wireless communication signals, plaintext communication data are transmitted through the wireless signals, the communication data are easily intercepted and analyzed by a third party, so that critical data in a wireless network are leaked, a serious person can have illegal intruders pretending to intrude into the wireless network, the wireless network communication is abnormal, and the illegal purpose of malicious intruders is achieved.
Although a small number of products encrypt upgrading programs and communication data at present, so that the safety of equipment is guaranteed, if international common symmetric encryption algorithms such as DES (data encryption standard) and AES (advanced encryption standard) are adopted for data encryption in the Internet of things, wireless sensor networks and embedded systems, the encryption and decryption efficiencies are very low due to the code space of an embedded CPU (central processing unit) processor and the operation speed of the processor; if a simple single encryption technology is adopted, the encryption technology is easy to be cracked by a malicious third party, and therefore the purpose of encryption cannot be achieved.
Disclosure of Invention
The invention aims to provide a method for encrypting an upgrading program and communication data of wireless network equipment, which is a simple and efficient encryption method, utilizes simple shift, XOR and interpolation algorithms and is matched with SHA256 encryption hardware to realize the encryption of the upgrading program and the communication data of equipment in the Internet of things, a wireless sensor network and an embedded system, occupies less code space of an embedded CPU processor, has lower requirement on the operation speed of the processor, can adopt a very low-cost processor to realize the encryption of the upgrading program and the communication data, can realize the identification of a signature and the verification of the integrity of the data in the data communication process, and ensures the safety of equipment communication and the integrity of the data.
In order to solve the problems existing in the background technology, the invention adopts the following technical scheme: the invention has disclosed a method for upgrading the procedure to the wireless network equipment at first, there are field upgrading mode and long-range upgrading mode to the procedure upgrading of the wireless network equipment, the field upgrading mode is to upgrade the wireless network equipment in the near field of application through the handheld upgrading terminal, the mode writes the encrypted cipher text of the upgrading procedure into the handheld upgrading terminal through the wired communication interface of the PC computer, the handheld upgrading terminal sends the encrypted cipher text of the upgrading procedure to the apparatus to be upgraded through the wireless signal and upgrades; the remote upgrading mode is to utilize a remote server to carry out remote upgrading of the equipment through wireless network communication, and the mode sends an upgrading program encryption ciphertext to the equipment to be upgraded through a wireless network channel through the remote server to carry out upgrading; in the two upgrading modes, a handheld upgrading terminal or a remote server which sends an upgrading program encryption ciphertext is named as upgrading service equipment in a unified mode, and target wireless network equipment to be upgraded is named as upgrading terminal equipment.
As a further improvement of the invention, the upgrade service device and the upgrade terminal device comprise an embedded CPU processor, an SHA256 hash encryption chip and a wireless communication module or a wired communication interface,
the embedded CPU processor is used for executing the embedded code program, decrypting the encrypted file and encrypting and decrypting the communication data of the network equipment;
the SHA256 Hash encryption chip utilizes the hardware encryption chip to realize the safe storage and the quick Hash operation of the encryption and decryption keys, improves the speed, the efficiency and the safety of the encryption and decryption processing of programs and data, and can carry out the legality authentication of communication data;
the wireless communication module or the wired communication interface is used for receiving and transmitting the encrypted ciphertext upgrading program and transmitting and receiving communication instructions and data;
if the storage space in the embedded CPU processor is large enough, besides the CPU executes codes, the space in the embedded CPU processor is enough to store the upgrade program encryption ciphertext, an extended FLASH memory is not needed to be selected, and if the storage space in the embedded CPU processor is too small, the embedded CPU processor can be externally connected with an extended FLASH memory with large capacity and used for storing the received upgrade program encryption ciphertext.
The invention also provides a method for encrypting the communication data of the upgrading program of the wireless network equipment, and the upgrading program encryption and upgrading process comprises the following steps:
(a) compiling and testing the upgrading program codes at a PC computer and generating a binary upgrading program plaintext file;
(b) encrypting the binary upgrading program file by adopting an encryption step to generate an encrypted ciphertext and encrypted abstract data;
(c) transmitting and sending the encrypted ciphertext to an equipment manager;
(d) the equipment management personnel sends the upgrade program encrypted ciphertext to the upgrade terminal equipment for storage by using a field upgrade mode or a remote upgrade mode, and verifies the encrypted ciphertext;
(e) the remote server sends an upgrading decryption instruction and the encrypted summary data to the upgrading terminal equipment through a remote wireless network;
(f) after receiving the upgrading decryption instruction and the encrypted abstract data, the upgrading terminal equipment decrypts the stored upgrading encrypted ciphertext;
(g) after the encrypted ciphertext of the upgrading program is decrypted, the plaintext of the upgrading program is verified;
(h) after the plaintext is verified correctly, the decrypted program plaintext can be written into the code execution area of the embedded CPU processor as an upgrading program code, and a new upgrading program is started to be executed.
The decryption operation is the reverse of the encryption operation; in order to ensure the reliability of decryption and verification of the program upgrading program, the upgrading terminal device divides A, B the code execution area into 2 storage areas for alternately storing the currently executed original program code and the new upgrading program code.
As a further improvement of the present invention, the encryption steps are as follows:
(1) data packet preprocessing: grouping upgrade program codes according to 32 bytes, utilizing the upgrade program plaintext abstract to perform data interpolation and supplement on data which is less than 32 bytes, wherein the interpolation and supplement method is to perform data interpolation and supplement on the 1 st and 2 nd bytes of the plaintext abstract multiplied by a supplement factor n% of the plaintext length as a supplement position, the 2 nd byte of the plaintext abstract multiplied by a supplement data 1, perform data interpolation and supplement on the 2 nd byte of the plaintext abstract multiplied by a supplement factor n% as a supplement position, the 3rd byte of the plaintext abstract multiplied by a supplement data 2 as a supplement position, perform data interpolation and supplement on the 3rd byte of the plaintext abstract, sequentially and circularly perform interpolation and supplement to complete 32-byte grouping processing, record 8-bit supplement factor n and 8-bit interpolation and supplement number as 16-bit supplement abstract, record one and only 1 supplement abstract in the whole upgrade program data encryption process, and fill the supplement abstract by 0x00 for the upgrade program which does not need interpolation and supplement;
(2) data exclusive-or encryption processing: selecting an initial KEY KEYn according to a 4-bit random XOR initial sequence number by using encryption KEYs KEY 1-16 according to sequence numbers from small to large, calculating a 4-bit random XOR shift digit multiplied by an XOR encryption processing time as a shift digit m, circularly shifting the KEY KEYn to the right according to the shift digit m, and then performing XOR encryption processing on the first 32-byte grouped data; and then carrying out exclusive-or encryption processing on the second 32-byte grouped data after carrying out right-hand cyclic shift on KEYn +1, carrying out exclusive-or encryption processing on each 32-byte grouped data after cyclically using KEY 1-16 in sequence, carrying out exclusive-or encryption processing on each 32-byte grouped data after completing one round of 16 encryption KEYs, still carrying out exclusive-or encryption processing according to the number of 4-bit random exclusive-or shift bits multiplied by the number of exclusive-or encryption processing times when carrying out cyclic exclusive-or processing again, carrying out exclusive-or encryption processing on each KEY KEY after circularly shifting each KEY right-hand according to the number of shift bits m, recording a 4-bit random exclusive-or starting sequence number and 8-bit random exclusive-or digest of 4-bit random exclusive-or shift bits, recording one exclusive-or digest when carrying out exclusive-or encryption processing once, recording a plurality of exclusive-or digests when selecting 4-bit random exclusive-or shift bits, selecting 3 bits, 3 bits as much as possible, and carrying out exclusive-or encryption processing when selecting 4-or shift bits, The 5-bit, 7-bit, 11-bit and 13-bit prime numbers are used as the XOR shift number, and the prime numbers can ensure that the XOR values obtained after each shift are different during cyclic shift, so that the encryption safety is improved; the method selects 1-16 KEY KEYs for XOR encryption when carrying out XOR encryption processing and selecting the KEY according to the sequence number from small to large, can also be all 16 KEY, can also participate in XOR encryption by less than 16 partial KEY KEYs, and records that the selected KEY participates in XOR encryption, the first XOR encryption processing selects all 16 KEY KEYs to participate in XOR encryption, the number of the selected KEY in the subsequent XOR encryption processing is determined according to the random interpolation number in the following step 5, and the number of the XOR encryption and the number of the interpolation encryption and the sequence number of the KEY are ensured to be the same;
(3) and (3) interpolation data processing: after the XOR encryption processing is finished, assigning a 4-bit random XOR shift digit to a 4-bit interpolation KEY shift digit, circularly shifting each encryption KEY KEY participating in the XOR encryption recorded in the step 2 to the left by using the 4-bit interpolation KEY shift digit, generating INS 1-16 interpolation data for subsequent interpolation processing, and filling corresponding INS of the KEY not participating in the XOR encryption as 0;
(4) data equivalence preprocessing: the data obtained after the XOR encryption processing of the encrypted data has a certain probability and the same value as INS 1-16 interpolation data, and the decryption can be wrong when the subsequent interpolation processing is carried out, so the step carries out the data same value preprocessing, if a certain 32-byte data block and INS 1-16 interpolation data phase values traverse the whole encrypted data, the 32-byte data block is circularly moved to the left according to random same value shift digits, so that the data body is different from 16 interpolation data, the initial position of 27-bit same value data and the 5-bit random same value shift digits are recorded as the same value abstract, a plurality of same value data bodies may exist in the same value preprocessing process every time, or the same value data bodies may not exist, 0x00000000 filling record is adopted for the condition that the same value data bodies do not exist, and 1-n same value abstracts are ensured to be recorded in the same value preprocessing process every time;
(5) data interpolation encryption processing: after the same value processing is carried out, inserting INS 1-16 interpolation data into the encrypted data randomly, wherein the inserting position is the random position insertion with 1-256 byte alignment randomly in the whole data space, the inserting number is the number participating in the XOR encryption KEY, the inserted data content is selected from 16 INS 1-16 interpolation data randomly, the INS with the INS data value of 0 is not inserted, the same INS interpolation data is ensured not to be inserted twice, and the probability of obtaining a secret KEY by adopting a matching mode is avoided; in order to ensure the security of encryption, the method has the advantages that 4 factors of random byte alignment numbers and random insertion positions of inserted INS data, random selection of contents of the inserted INS data and random number of the inserted INS data influence the result of each interpolation encryption during interpolation processing; when the encrypted ciphertext is decrypted, along with the gradual increase of the decryption difficulty and the gradual decrease of the random byte alignment number, when the aligned byte number is 1, the decryption difficulty of the ciphertext of the upgrading program is the largest, the safety degree of the ciphertext is the highest, and the random byte alignment number is recorded as an interpolation abstract;
(6) and data repeated encryption processing: after the KEY is inserted once, repeating the steps 2-5 to perform the next round of encryption processing, wherein the repeated encryption times are determined according to the 16-bit random repetition times, the size of the encrypted upgrade program ciphertext can be controlled to be a predefined value by adjusting the 16-bit random repetition times and the random interpolation number in the step 5 interpolation encryption processing, the 16-bit random encryption repetition times are recorded as 16-bit repeated digests, and one and only 1 repeated digests are recorded in the whole upgrade program data encryption process;
and (3) encrypting binary data of the upgrading program with high safety through the steps (1) to (6), generating two data blocks after the upgrading program is encrypted, wherein one data block is encrypted ciphertext data of the upgrading program, and the other data block is encrypted abstract data, and the two encrypted data blocks are sent to an upgrading equipment terminal through different ways to decrypt the upgrading program.
The method combines a complementary digest, an exclusive-or digest, an homonymous digest, an interpolation digest, a repeated digest and a plaintext digest which are recorded in the encryption process of an upgrading program into an encrypted digest data block, wherein the encrypted digest data block is key data decrypted by the upgrading program and is transmitted to wireless network equipment through a wireless network channel which is authenticated safely; the invention discloses an encrypted abstract data block organization format, which comprises the following steps according to the arrangement sequence: 1. a plaintext abstract, which occupies 4 bytes with 256bit length; 2. filling the abstract, and occupying 2 bytes and 16 bits; 3. repeating the abstract and occupying 2 bytes with the length of 16 bits; 4. the XOR abstract is encrypted circularly for the first time, and 1 byte and 8bit length are occupied; 5. the interpolation abstract is circularly encrypted for the first time, and 1 byte and 8bit length are occupied; 6. the number of the homonymous digests is circularly encrypted for the first time, and the homonymous digests occupy 2 bytes and have the length of 16 bits; 7. the first time of circularly encrypting a first value, a second value and an nth value of the homonymous digest, wherein each value occupies 4 bytes of 32 bits; 8. the XOR abstract is circularly encrypted for the second time, and 1 byte and 8bit length are occupied; 9. circularly encrypting the interpolation abstract for the second time, wherein the interpolation abstract occupies 1 byte and 8 bits in length; 10. the number of the homonymous digests is circularly encrypted for the second time, and the homonymous digests occupy 2 bytes and have the length of 16 bits; 11. circularly encrypting a first value, a second value and an nth value of the identical value summary for the second time, wherein each value occupies 4 bytes of 32 bits; 12. and the like, and circularly encrypting the summary data for the third time to the nth time.
After the technical scheme is adopted, the invention has the following beneficial effects:
1. the system is used for encrypting the upgrading program of the embedded CPU processor of the wireless network equipment, so as to ensure the safety and confidentiality of the binary code of the upgrading program in the processes of external release and transmission after the compiling test is finished, avoid the malicious copying and copying of the binary code by a third party and ensure the safety of each technology of an enterprise;
2. and data in the communication process of the wireless network equipment is encrypted, so that the reliable communication of the legal wireless network equipment is ensured, the stealing of the wireless network communication data and the illegal invasion attack of the wireless communication network by the malicious equipment and devices of a third party are avoided, the confidentiality, the anti-theft property and the anti-attack property of the wireless network communication data are ensured, and the robustness, the safety and the reliability of the wireless network are improved.
3. The method describes the encryption of the upgrade program of the wireless network equipment, and since the upgrade program is also a binary data block, all the encryption methods can be used for the encryption of any binary data block;
4. in the SHA256 Hash encryption chip with the length of 256 bits adopted in the encryption method, the encryption key is 32 bytes, the packets in the encryption process are all 32 byte packets, if the SHA Hash encryption chip with the length of 512 bits is adopted, the encryption key is 64 bytes, and the encryption packets can be 64 bytes, so the encryption key length of the encryption method corresponds to the encryption process packet length and is not limited to the length of 256 bits.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a block diagram of the upgrading service device and the upgrading terminal device according to the present invention;
FIG. 2 is a flowchart of the upgrade program encryption and upgrade of the present invention;
FIG. 3 is a diagram of the encryption steps of the present invention;
FIG. 4 is a block organization diagram of encrypted digest data according to the present invention;
FIG. 5 is a flowchart illustrating a process for enhancing security when encrypting an upgrade program according to the present invention;
FIG. 6 is a diagram of a KEY matching extraction procedure based on SHA256 operation rule design of an encryption chip according to the present invention;
FIG. 7 is a diagram illustrating the steps of requesting and decrypting the encrypted digest data of the upgrade terminal device according to the present invention;
fig. 8 is a block diagram of a wireless network device in an embodiment of the present invention;
FIG. 9 is a partition diagram of the interior of a CPU processor in accordance with an embodiment of the present invention;
FIG. 10 is a diagram of the transmission steps of an upgrade program in an embodiment of the present invention;
FIG. 11 is a diagram illustrating the relationship between a program compiling computer, a remote server, an upgrade program terminal, and a wireless communication network according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments. It should be understood that the detailed description and specific examples, while indicating the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1 to 7, the following technical solutions are adopted in the present embodiment: firstly, a method for upgrading a program of wireless network equipment is disclosed, the program upgrading of the wireless network equipment comprises a field upgrading mode and a remote upgrading mode, the field upgrading mode is that the wireless network equipment is subjected to application field short-distance upgrading by a handheld upgrading terminal, the mode writes an upgrading program encryption ciphertext into the handheld upgrading terminal through a wired communication interface of a PC computer, and the handheld upgrading terminal sends the upgrading program encryption ciphertext to the equipment to be upgraded through a wireless signal for upgrading; the remote upgrading mode is to utilize a remote server to carry out remote upgrading of the equipment through wireless network communication, and the mode sends an upgrading program encryption ciphertext to the equipment to be upgraded through a wireless network channel through the remote server to carry out upgrading; in the two upgrading modes, a handheld upgrading terminal or a remote server which sends an upgrading program encryption ciphertext is named as upgrading service equipment in a unified mode, and target wireless network equipment to be upgraded is named as upgrading terminal equipment.
Referring to fig. 1, the upgrade service device and the upgrade terminal device include an embedded CPU processor, an SHA256 hash encryption chip, and a wireless communication module or a wired communication interface, where the embedded CPU processor is used to execute an embedded code program, decrypt an encrypted file, and encrypt and decrypt network device communication data; the SHA256 Hash encryption chip utilizes the hardware encryption chip to realize the safe storage and the quick Hash operation of the encryption and decryption keys, improves the speed, the efficiency and the safety of the encryption and decryption processing of programs and data, and can carry out the legality authentication of communication data; the wireless communication module or the wired communication interface is used for receiving and transmitting the encrypted ciphertext upgrading program and transmitting and receiving communication instructions and data; if the storage space in the embedded CPU processor is large enough, besides the CPU executes codes, the space in the embedded CPU processor is enough to store the upgrade program encryption ciphertext, an extended FLASH memory is not needed to be selected, and if the storage space in the embedded CPU processor is too small, the embedded CPU processor can be externally connected with an extended FLASH memory with large capacity and used for storing the received upgrade program encryption ciphertext.
Referring to fig. 2, the present embodiment further provides a method for encrypting communication data of an upgrade program of a wireless network device, where the upgrade program encryption and upgrade process are as follows:
(a) compiling and testing the upgrading program codes at a PC computer and generating a binary upgrading program plaintext file;
(b) encrypting the binary upgrading program file by adopting an encryption step to generate an encrypted ciphertext and encrypted abstract data;
(c) transmitting and sending the encrypted ciphertext to an equipment manager;
(d) the equipment management personnel sends the upgrade program encrypted ciphertext to the upgrade terminal equipment for storage by using a field upgrade mode or a remote upgrade mode, and verifies the encrypted ciphertext;
(e) the remote server sends an upgrading decryption instruction and the encrypted abstract data to the upgrading terminal equipment through a remote wireless network;
(f) after receiving the upgrading decryption instruction and the encrypted abstract data, the upgrading terminal equipment decrypts the stored upgrading encrypted ciphertext;
(g) after the encrypted ciphertext of the upgrading program is decrypted, the plaintext of the upgrading program is verified;
(h) after the plaintext is verified correctly, the decrypted program plaintext can be written into the code execution area of the embedded CPU processor as an upgrading program code, and a new upgrading program is started to be executed.
The decryption operation is the reverse of the encryption operation; in order to ensure the reliability of decryption and verification of the program upgrading program, the upgrading terminal device divides A, B the code execution area into 2 storage areas for alternately storing the currently executed original program code and the new upgrading program code.
When encrypting the upgrade program, three critical data are involved, which are:
1. 16 encryption KEYs KEY 1-16, wherein the 16 encryption KEYs can select 16 different 32-byte random data encryption as KEYs, or 16 different 32-byte fragments in a certain critical binary code library in program codes of wireless network equipment as encryption KEYs, the 16 encryption KEYs are all burnt into an SHA256 encryption chip by a hardware burning tool and fused, so that the encryption KEYs in the SHA256 encryption chip can not be illegally read by the outside, in addition, 4 KEYs are randomly selected as initial KEYs, the 4 initial KEY bytes are solidified into an embedded CPU processor for the initial decryption of an upgrading program and the initial authentication of data communication, and the 4 randomly selected KEYs are named as initial solidified KEYs;
2. the data is the plaintext abstract calculated by the upgrade program plaintext through the SHA256 Hash algorithm, and is used for verifying and judging the legality of a plaintext file after the upgrade program ciphertext is decrypted and restored to form the plaintext, and the plaintext abstract data is added in the encrypted abstract data and is sent to the upgrade equipment terminal;
3. and encrypting the summary data, wherein the data is encryption critical data generated in the process of encrypting the upgrade program plaintext, and the upgrade program plaintext can be effectively decrypted only by the data.
Before the upgrading program and the key binary code library are encrypted, SHA256 operation is performed on the plaintext of the whole upgrading program and the key binary code library once to generate a plaintext abstract of 32 bytes, the plaintext abstract is used for the subsequent encryption processing of the upgrading program and the key binary code library, and the consistency verification is performed on the decrypted plaintext file after decryption.
When a certain key binary code base is selected as an encryption key, the key binary code base is grouped according to 32 bytes, 16 different 32-byte code segments are randomly grouped and extracted to be used as the encryption key, then the 16 extracted segments are filled by adopting 0xFF, and the filled binary code base can be burnt and written into a CPU (central processing unit) processor as a library file of an embedded program and can also be encrypted together with an upgrading program; by the method, partial code fragments of the key binary code library can be stored in the encryption chip, so that the security and confidentiality of the key binary code are ensured; after the upgrade program is decrypted, 16 encryption KEYs KEY can be obtained, then the critical binary code base can be restored by replacing 16 fragments filled with 0xFF, and the critical binary code base can be normally called after the upgrade program is decrypted.
The invention only uses several common simple grouping, exclusive or, shift, interpolation operation and SHA256 encryption chip hash operation to the upgrade program encryption, realizes the encryption of the whole upgrade program code binary data, and has simple encryption operation and high encryption safety; referring to fig. 3, the upgrade program of the present invention encrypts as follows:
1. data packet preprocessing: grouping upgrade program codes according to 32 bytes, utilizing the upgrade program plaintext abstract to interpolate and complement data of less than 32 bytes, the interpolating and complementing method is that the 1 st and 2 nd bytes of the plaintext abstract multiplied by the complementing factor n% plaintext length is the complementing position, the 2 nd byte of the plaintext abstract is the complementing data 1 to interpolate and complement data, the 2 nd and 3rd bytes of the plaintext abstract multiplied by the complementing factor n% plaintext length is the complementing position, the 3rd byte of the plaintext abstract is the complementing data 2 to interpolate and complement data, and circularly interpolating and complementing in sequence, to complete 32-byte grouping processing, the invention records 8-bit padding factor n and 16-bit padding summary of 8-bit interpolation padding number, during the whole updating program data encryption process, recording one and only 1 completion summary, and filling the completion summary by adopting 0x00 for an upgrading program without interpolation completion;
2. data exclusive-or encryption processing: selecting an initial KEY KEYn according to a 4-bit random XOR initial sequence number by using encryption KEYs KEY 1-16 according to sequence numbers from small to large, calculating a 4-bit random XOR shift digit multiplied by an XOR encryption processing time as a shift digit m, circularly shifting the KEY KEYn to the right according to the shift digit m, and then performing XOR encryption processing on the first 32-byte grouped data; and then carrying out XOR encryption processing on the second 32-byte grouped data after carrying out right cyclic shift on KEYn +1, carrying out XOR encryption processing on each 32-byte grouped data after sequentially and cyclically using KEY 1-16, carrying out XOR encryption processing on each 32-byte grouped data after completing one round of 16 encryption KEYs, carrying out XOR encryption processing on each 32-byte grouped data after carrying out cyclic shift on each KEY KEY right according to the shift bit number m, recording a 4-bit random XOR initial sequence number and a 4-bit random XOR shift bit number as 8-bit XOR digests, recording one XOR digest when carrying out XOR encryption processing once, recording a plurality of digests XOR when carrying out XOR encryption processing for a plurality of times, and selecting 3-bit random XOR shift bit number as much as possible when selecting 4-bit random XOR shift bit number, The 5-bit, 7-bit, 11-bit and 13-bit prime numbers are used as the XOR shift number, and the prime numbers can ensure that the XOR values obtained after each shift are different during cyclic shift, so that the encryption safety is improved; the method selects 1-16 KEY KEYs for XOR encryption when carrying out XOR encryption processing and selecting the KEY according to the sequence number from small to large, can also be all 16 KEY, can also participate in XOR encryption by less than 16 partial KEY KEYs, and records that the selected KEY participates in XOR encryption, the first XOR encryption processing selects all 16 KEY KEYs to participate in XOR encryption, the number of the selected KEY in the subsequent XOR encryption processing is determined according to the random interpolation number in the following step 5, and the number of the XOR encryption and the number of the interpolation encryption and the sequence number of the KEY are ensured to be the same;
3. and (3) interpolation data processing: after the XOR encryption processing is finished, assigning a 4-bit random XOR shift digit to a 4-bit interpolation KEY shift digit, circularly shifting each encryption KEY KEY participating in the XOR encryption recorded in the step 2 to the left by using the 4-bit interpolation KEY shift digit, generating INS 1-16 interpolation data for subsequent interpolation processing, and filling corresponding INS of the KEY not participating in the XOR encryption as 0;
4. data equivalence pretreatment: the data obtained after the XOR encryption processing of the encrypted data has a certain probability and the same value as INS 1-16 interpolation data, and the decryption can be wrong when the subsequent interpolation processing is carried out, so the step carries out the data same value preprocessing, if a certain 32-byte data block and INS 1-16 interpolation data phase values traverse the whole encrypted data, the 32-byte data block is circularly moved to the left according to random same value shift digits, so that the data body is different from 16 interpolation data, the invention records the initial position of 27-bit same value data and the 5-bit random same value shift digits as same value abstracts, a plurality of same value data bodies can exist in the same value preprocessing process every time, or the same value data bodies can not exist, and 0x0000 filling record is adopted for the condition that the same value data bodies do not exist, so that 1-n same value abstracts are recorded in the same value preprocessing process every time;
5. data interpolation encryption processing: after the same value processing is carried out, inserting INS 1-16 interpolation data into the encrypted data randomly, wherein the inserting position is the random position insertion with 1-256 byte alignment randomly in the whole data space, the inserting number is the number participating in the XOR encryption KEY, the inserted data content is selected from 16 INS 1-16 interpolation data randomly, the INS with the INS data value of 0 is not inserted, the same INS interpolation data is ensured not to be inserted twice, and the probability of obtaining a secret KEY by adopting a matching mode is avoided; in order to ensure the security of encryption, the method has the advantages that 4 factors of random byte alignment numbers and random insertion positions of inserted INS data, random selection of contents of the inserted INS data and random number of the inserted INS data influence the result of each interpolation encryption during interpolation processing; when the encrypted ciphertext is decrypted, along with the gradual increase of the decryption difficulty and the gradual decrease of the random byte alignment number, when the aligned byte number is 1, the decryption difficulty of the ciphertext of the upgrading program is the largest, the safety degree of the ciphertext is the highest, and the random byte alignment number is recorded as an interpolation abstract;
6. data repeated encryption processing: after the KEY is inserted once, the next round of encryption processing can be carried out repeatedly in the steps 2-5, the repeated encryption times are determined according to the 16-bit random repetition times, the size of the encrypted upgrade program ciphertext can be controlled to be a predefined value by adjusting the 16-bit random repetition times and the random interpolation number in the step 5 interpolation encryption processing, the 16-bit random encryption repetition times are recorded as 16-bit repeated digests, and one and only 1 repeated digests are recorded in the whole upgrade program data encryption process;
the binary data encryption of the upgrading program with high safety can be realized through the steps 1-6, after the upgrading program is encrypted, two data blocks can be generated, wherein one data block is the encrypted ciphertext data of the upgrading program, and the other data block is the encrypted abstract data, and the two encrypted data blocks are sent to the terminal of the upgrading device through different ways to decrypt the upgrading program.
The method combines a complementary digest, an exclusive-or digest, an homonymous digest, an interpolation digest, a repeated digest and a plaintext digest which are recorded in the encryption process of an upgrading program into an encrypted digest data block, wherein the encrypted digest data block is key data decrypted by the upgrading program and is transmitted to wireless network equipment through a wireless network channel which is authenticated safely; referring to fig. 4, the organization format of the encrypted digest data blocks according to the present invention is as follows: 1. a plaintext abstract, which occupies 4 bytes with 256bit length; 2. filling the abstract, and occupying 2 bytes and 16 bits; 3. repeating the abstract and occupying 2 bytes with the length of 16 bits; 4. the XOR abstract is encrypted circularly for the first time, and 1 byte and 8bit length are occupied; 5. the interpolation abstract is circularly encrypted for the first time, and 1 byte and 8bit length are occupied; 6. the number of the homonymous digests is circularly encrypted for the first time, and the homonymous digests occupy 2 bytes and have the length of 16 bits; 7. the first time of circularly encrypting a first value, a second value and an nth value of the homonymous digest, wherein each value occupies 4 bytes of 32 bits; 8. the XOR abstract is circularly encrypted for the second time, and 1 byte and 8bit length are occupied; 9. circularly encrypting the interpolation abstract for the second time, wherein the interpolation abstract occupies 1 byte and 8 bits in length; 10. the number of the identical value abstracts of the second circular encryption occupies 2 bytes with the length of 16 bits; 11. circularly encrypting a first value, a second value and an nth value of the identical value summary for the second time, wherein each value occupies 4 bytes of 32 bits; 12. and the like, and circularly encrypting the summary data for the third time to the nth time.
Referring to fig. 5, when encrypting the upgrade program, the present invention performs a series of processes for enhancing security in order to enhance security of the encrypted ciphertext and enhance encryption strength:
1. the encryption program of the invention establishes an encryption key pool which comprises a plurality of 32-byte encryption keys, and when upgrading program encryption is carried out aiming at different clients and different wireless network devices, different 16 32-byte encryption keys are selected to encrypt the upgrading program;
2. the invention carries out SHA256 Hash operation on the plaintext abstract of the upgrading program, the client information, the hardware ID of an encryption processing device and the encryption time information, inputs the Hash result as a random number seed into a random number generator, generates 9 types of random numbers which are different and are used for the encryption operation of the upgrading program, wherein the 9 types of random numbers are as follows: random completion factor n, random XOR starting sequence number, random XOR shift digit, random parity shift digit, random byte alignment number, random interpolation position, random interpolation content selection, random interpolation number and random encryption repetition number;
3. when data is encrypted, 32-byte KEY encryption KEYs are adopted to carry out exclusive-or encryption on 32-byte groups of encrypted data, the length of the exclusive-or encryption KEY is 32 bytes and 256 bits long, and the length of the KEY is the same as that of the data, so that the safety of the exclusive-or encryption is ensured; moreover, different 32-byte data packets are subjected to exclusive-or encryption after being shifted by different KEY encryption KEYs, 3-bit, 5-bit, 7-bit, 11-bit and 13-bit prime numbers are selected as 4-bit random exclusive-or shift bits each time, and the shift bits can be calculated to ensure that the exclusive-or encryption KEYs shifted each time are different as much as possible, so that the encryption strength is improved;
4. when data interpolation is carried out, because INS interpolation data inserted each time are obtained by shifting the KEY encryption KEY, the KEY encryption KEY cannot be obtained in a traversal mode under the condition that the number of shifting bits of the interpolation KEY in the encrypted digest data is not determined;
5. according to the invention, because the XOR encryption processing and the interpolation encryption processing are repeatedly carried out for a plurality of times, the XOR KEY and the interpolation data are randomly shifted by the KEY 1-16 encryption KEYs each time, the number of the interpolation data is different each time, the original data are alternately covered in the repeated encryption process, and the plaintext of the data can hardly be solved under the condition that the random number in the encryption process is unknown;
6. when data interpolation is carried out, the number of the inserted INS data is 1-15 INS data, but not all 16 INS data, and it is guaranteed that 16 KEY encryption KEYs can be completely extracted after repeated interpolation data extraction and reverse decryption XOR.
The encryption method is used for encrypting an upgrading program or a critical binary code, and the security of a ciphertext obtained by encrypting the upgrading program or the critical binary code is increased in number of stages to achieve the strength of absolute security if the number of the encryption chips in the wireless network equipment is increased or the number of the encryption KEYs stored in each encryption chip is increased, so that the total number of the 32-byte KEY encryption KEYs in each equipment reaches 32, 64, 128, 256 or even more, and the total bit length of the KEYs is 8192bit, 16384bit, 32768bit or 65536bit or even more; and the larger the critical binary code library fragment that can be stored.
When more KEY encryption KEYs need to be stored, a CPU processor with a read protection fusing mechanism can be adopted to carry out SHA hash operation to undertake the task of a hardware encryption chip, the larger the FLASH storage space in the encryption CPU processor is, the more KEY encryption KEYs can be stored, for example, a 128K-byte CPU processor can store about 4000 SHA256 encryption KEYs with 32 bytes, and can store 2000 SHA512 encryption KEYs with 64 bytes after an SHA256 hash algorithm is upgraded to an SHA512 algorithm; in order to ensure the communication efficiency and encryption and decryption efficiency between the CPU and the encryption CPU in operation, the two CPUs can adopt high-speed SPI communication or USB communication, and the encryption intensity and encryption and decryption speed are greatly improved; after the Hash operation is upgraded to the SHA512 from the SHA256, the encryption method of the invention is not changed, and the higher security encryption can be realized only by upgrading the packet with 32 bytes in the packet preprocessing in the encryption process to the packet with 64 bytes.
The invention can extract all KEY encryption KEYs through decryption operation, and after all the KEY encryption KEYs are extracted, if the encryption KEYs are KEY binary code library segments, the KEY binary code library segments can be inserted into a KEY code library to replace 0xFF filling values, so that the integrity of the KEY binary code library can be recovered, and the KEY binary code library is called by an upgrading program to perform code library.
The invention combines the completion summary, the exclusive-or summary, the homonymous summary, the interpolation summary, the repeated summary and the plaintext summary recorded in the encryption process of the upgrading program into an encryption summary data block, wherein the encryption summary data block is key data decrypted by the upgrading program and is transmitted to wireless network equipment through a wireless network channel which is authenticated safely.
The decryption operation of the upgrade program encrypted ciphertext is a reverse operation process of the encryption operation, but in the reverse operation process of the decryption, an INS value in an interpolation process needs to be extracted and rejected firstly, because the INS value is obtained by shifting according to a KEY encryption KEY in an encryption chip, a shifting bit number can be obtained by encrypting digest data, but in order to enhance the strength of an encryption algorithm, the encryption chip is set to be not allowed to read the KEY encryption KEY from the encryption chip directly, and 32 bytes of data are input into the encryption chip through an SHA256 encryption algorithm to be matched with the KEY in the encryption chip to verify and extract the encryption KEY, so that the INS value in the interpolation process is rejected smoothly;
referring to fig. 6, the KEY matching and extracting steps designed based on the SHA256 operation rule of the cryptographic chip according to the present invention are as follows:
1. the embedded CPU processor obtains 32-byte DATA DATA to be decrypted and matched;
2. the embedded CPU processor sends an instruction A to the encryption chip, a random number TMP is generated inside the encryption chip, and a temporary Hash value TMP _ SHA is generated by using SHA256 hardware arithmetic logic;
3. the embedded CPU processor reads the temporary Hash value TMP _ SHA and carries out SHA256 operation with the matched DATA DATA to be decrypted to generate a new Hash value DATA _ SHA;
4. the embedded CPU processor sends an instruction B to the encryption chip, and the encryption chip utilizes SHA256 hardware arithmetic logic to calculate TMP _ SHA and KEY1 to generate a KEY1_ SHA which is output to the CPU;
5. the embedded CPU processes and compares DATA _ SHA and KEY1_ SHA, and according to the design principle inside the encryption chip, as long as DATA _ SHA and KEY1_ SHA are the same, KEY1 and DATA can be determined to be the same, namely the DATA is matched as a KEY1 KEY in the encryption chip;
6. if the DATA _ SHA and the KEY1_ SHA are different, the loop step 4 performs hash operation on KEY2, matches KEY2_ SHA and DATA _ SHA, and matches all 16 KEYs in the encryption chip, if a proper KEY is matched, the DATA is a certain KEY, and if not, the DATA is not an encryption KEY; in the invention, all 16 encryption KEYs KEY 1-16 are traversed, an SHA256 algorithm is adopted in the communication process of a CPU (Central processing Unit) processor and an encryption chip, random numbers are added to participate in operation, the communication between the CPU processor and the encryption chip is not directly interacted with DATA and KEYn, and random numbers TMP (Trimethoprim) are used for carrying out Hash operation with the DATA and the KEYn, so that the DATA content of each interaction is different, and an illegal invader is prevented from obtaining the DATA and the KEY by a hardware capture method; but by this method it is possible to prove in turn that DATA is one of the encryption keys KEYn, thus enabling a matching extraction of the encryption key KEYn.
In the invention, the upgrade program encryption is carried out, because all KEY encryption KEYs are not inserted when interpolation encryption processing is carried out every time, but all KEY encryption KEYs are inserted for multiple times in the encryption process, and the KEY KEYs in an encryption chip can not be directly read out, so that when decryption operation is carried out, all the encryption KEYs need to be extracted according to data in an encryption summary, multiple rounds of circulation are carried out according to the KEY matching extraction steps to extract the KEY encryption KEYs and reject INS interpolation data, and the next operation of extracting the KEY KEYs and rejecting the INS interpolation data can be carried out only by carrying out XOR decoding after INS interpolation data are rejected every time until all the INS interpolation data are completely rejected, and all the KEY encryption KEYs can be extracted.
Key encrypted DIGEST DATA are required for decryption operation of the upgrade program encrypted ciphertext, the upgrade program encrypted ciphertext and the encrypted DIGEST DATA are transmitted to upgrade terminal equipment at different time and in different ways, the upgrade terminal equipment receives the upgrade program encrypted ciphertext and requests the remote server for encrypted DIGEST DATA to decrypt the encrypted ciphertext after receiving an upgrade instruction from a wireless network remote server; referring to fig. 5, the steps of updating the encrypted digest data request and decrypting the encrypted digest data of the terminal device are as follows:
1. the upgrading terminal equipment sends a request for encrypting the summary data to a wireless network remote server;
2. the wireless network remote server calculates the hash value DIGEST _ DATA _ SHA of the encrypted abstract DATA and the ID of the upgrading terminal equipment by using the hash algorithm of the SHA256 encryption chip;
3. the wireless network remote server calculates a USER temporary number USER _ ID _ TMP containing a random number by using the USER number USER _ ID of the upgrading terminal equipment and the random number TMP by using a Hash algorithm of an SHA256 encryption chip;
4. the remote wireless network remote server calculates the USER temporary serial number USER _ ID _ TMP and 2 random encryption keys KEya and KEYb into two temporary keys KEya _ SHA and KEYb _ SHA with 32 bytes by using a Hash algorithm of an SHA256 encryption chip;
5. the wireless network remote server performs exclusive or encryption processing on the encrypted DIGEST DATA DIGEST _ DATA by using temporary keys KEYa _ SHA and KEYb _ SHA to generate NEW encrypted DIGEST DATA DIGEST _ DATA _ NEW;
6. the wireless network remote server sends the USER temporary number USER _ ID _ TMP, the encrypted abstract DATA hash value DIGEST _ DATA _ SHA and the NEW encrypted abstract DATA DIGEST _ DATA _ NEW to the upgrading terminal equipment;
7. after the upgrade terminal device receives the USER temporary number USER _ ID _ TMP, the hash value of the encrypted DIGEST DATA DIGEST _ DATA _ SHA, and the NEW encrypted DIGEST DATA DIGEST _ DATA _ NEW, the temporary decrypted DATA KEY1_ SHA to KEY16_ SHA are obtained by using all KEYs KEY 1-16 and USER _ ID _ TMP in the encryption chip inside the upgrade terminal device and the hash algorithm of the SHA256 encryption chip, and the temporary decrypted DATA KEY1_ SHA to KEY16_ SHA are traversed to extract two decrypted DATA KEY _ SHA and KEY _ SHA;
8. then, carrying out XOR processing on DIGEST _ DATA _ NEW by KEYx _ SHA and KEYy _ SHA to restore encrypted DIGEST DATA DIGEST _ DATA _ X;
9. calculating a hash value DIGEST _ DATA _ X of the DATA DIGEST _ DATA _ X and the upgrading terminal equipment ID by using a hash algorithm of the SHA256 encryption chip;
10. and comparing the hash value of the encrypted DIGEST DATA sent from the remote server, namely DIGEST _ DATA _ SHA and DIGEST _ DATA _ SHA _ X, if the hash value of the encrypted DIGEST DATA sent from the remote server is equal to the hash value of the original encrypted DIGEST DATA, the restored encrypted DIGEST DATA DIGEST _ DATA _ X is the same as the original encrypted DIGEST DATA DIGEST _ DATA, namely, the encrypted DIGEST DATA can be used for decrypting the encrypted ciphertext of the upgrading program, and if the hash value of the encrypted DIGEST DATA is not the same, the steps 7-10 are repeated until the original encrypted DIGEST DATA is decrypted.
The invention solves the safety problem of plaintext transmission of the encrypted summary data between the remote server and the upgrading terminal equipment through the following key points:
1. generating two DATA of USER _ ID _ TMP and DIGEST _ DATA _ NEW by the random number of the remote server and sending the two DATA to the upgrading equipment terminal;
2, the upgrading equipment terminal conducts hash operation on temporary decrypted data produced by traversing all KEYs KEY 1-16 and USER _ ID _ TMP in an encryption chip in the equipment, extracts two decrypted data from the temporary decrypted data and completes decryption and restoration of the encrypted abstract data;
3. when the terminal equipment is upgraded each time to request for encrypting the summary DATA and encrypt the summary DATA as long as the DATA is decrypted, the random numbers TMP participating in the operation each time are different, and the generated USER _ ID _ TMP and DIGEST _ DATA _ NEW are different each time;
4. three DATA, namely USER _ ID _ TMP, DIGEST _ DATA _ NEW and DIGEST _ DATA _ SHA, are obtained through SHA256 Hash operation, the original DATA cannot be reversely and directly solved, and only all KEYs KEY 1-16 in an encryption chip can be traversed to complete encrypted DIGEST DATA restoration;
5. after the encrypted DIGEST DATA encrypted by the remote server is encrypted, an encryption KEY in the upgrading terminal equipment is stored in an encryption chip, and a KEY of the encryption chip cannot be read in any way, so that whether the selected KEY is correct during encryption can be known only after the intermediate result of SHA256 operation is compared and matched with three DATA information, namely USER _ ID _ TMP, DIGEST _ DATA _ NEW and DIGEST _ DATA _ SHA;
6. when DIGEST _ DATA _ SHA and DIGEST _ DATA _ SHA _ X are calculated, the ID of the upgrading equipment terminal participates in hash operation, the equipment ID is respectively stored in a remote server database and a hardware device of the upgrading equipment terminal, and an ID value does not need to be carried in an instruction for transmitting an encryption summary DATA request in a wireless network, so that the ID value of the upgrading terminal equipment is prevented from being leaked, the encryption strength is enhanced, if the ID of the upgrading terminal equipment is changed into an appointed dynamic DATA to participate in encryption operation, the DATA is dynamically changed in real time each time, and the difficulty of decrypting the encryption summary DATA is greatly improved;
7. the temporary KEY _ SHA for XOR encryption of the encryption abstract described in the invention is 232 bytes, and if the number of the temporary KEY _ SHAs for XOR encryption is increased to 4, 8 or more, the difficulty of reverse XOR decryption is multiplied; the 7-point measures are utilized to ensure the safe transmission of the encryption KEY data, even if an intruder intercepts the ciphertext data block of the encryption KEY under the condition of disclosing the encryption algorithm of the encryption KEY, the plaintext of the encryption KEY is difficult to decrypt under the condition that the KEY in the hardware of the encryption chip cannot be obtained, and the safety of data transmission is ensured.
The method described in the invention can not only carry out encryption and decryption operation of upgrading program, but also realize safe transmission of wireless network equipment communication data after encryption, the data encryption transmission steps with high security level are the same as the encryption transmission steps of the encrypted abstract data, if the encrypted data processing with high security level is not needed, the encryption steps can be simplified to carry out data safe transmission: 1. negotiating an encryption key serial number n between two devices; 2. the sending equipment performs hash operation by using a KEYn key and a serial number n check code in the encryption chip according to the key serial number n to generate a temporary key KEYn _ SHA; 3. the sending equipment performs exclusive or processing on data to be transmitted by using the temporary key KEYn _ SHA to generate encrypted data; 4. the sending equipment sends the encrypted data; 5. after receiving the encrypted data, the receiving device also generates a temporary key KEYn _ SHA according to the negotiated key sequence number n and the key KEYn; 6. the receiving device performs exclusive-or decryption on the received encrypted data according to the temporary key KEYn SHA.
The decryption operation of the upgrade program encrypted ciphertext is the inverse process of the encryption operation, and the decryption process has the following decryption key points: 1. when each round of decryption processing is carried out, corresponding XOR abstract, interpolation abstract and same value abstract need to be extracted from the encrypted abstract; 2. when the interpolation is removed, the interpolation sequence is interpolated from front to back according to the upgrading program, so when the interpolation is removed, all binary data need to be traversed reversely according to the byte alignment number from back to front according to the upgrading program to remove the interpolation; 3. the interpolation elimination method comprises the following steps: selecting a certain 32-byte packet INS in the encrypted ciphertext according to byte alignment, right shifting the packet INS according to the XOR shift bit number to obtain interpolation DATA DATA _ TMP, matching the DATA _ TMP with a KEY KEY in the encryption chip in a KEY matching mode, removing the interpolation DATA INS if the matching is correct, and recording the DATA _ TMP as the KEY KEY with a certain sequence number in the memory; in the subsequent elimination process, all KEY KEYs in the encryption chip are gradually matched, and after all the KEYs are matched, interpolation elimination can be directly carried out according to the matched DATA _ TMP KEY recorded in the memory, so that the speed of interpolation elimination is increased, the hardware communication frequency of the CPU processor and the encryption chip is reduced, and the KEY safety is improved; 3. and in the decryption of the packet preprocessing, the filling data inserted in the packet preprocessing process is removed in a backward-forward mode.
The invention encrypts the upgrading program and the data to produce two parts of an encrypted ciphertext and an encrypted abstract, and the two parts adopt different modes and ways for transmission, thereby ensuring the security of encrypted data, solving the problem that the distribution management of the encrypted KEY is easy to leak, even if the encrypted abstract data is leaked and cracked, the decryption operation also needs to use a KEY encrypted KEY in a hardware encrypted chip, the encrypted KEY is unreadable, and can only be extracted and identified by traversing and matching, under the condition of no hardware of the encrypted chip, the encrypted abstract data is cracked, but interpolation data and exclusive or decryption still cannot be removed from the encrypted ciphertext; the upgrading program and data encrypted by the encryption method have the defects of encryption ciphertext, encryption abstract and encryption key during decryption.
The encryption algorithm adopted by the invention can adjust the encryption intensity by increasing or decreasing the number of the encryption KEYs KEY stored in the encryption chip, and can also adjust the encryption intensity by increasing or decreasing the number of times of repeated encryption processing circulation, thereby making dynamic balance selection in the aspects of encryption intensity and encryption and decryption operation speed.
In the invention, a random number is added to each KEY KEY verification of the CPU processor and the encryption chip to carry out SHA256 Hash operation, so that even if the same KEY KEY is verified, the waveforms on hardware IO pins between the CPU processor and the encryption chip are different, and a third party cracker is prevented from analyzing the KEY to decrypt by capturing the waveform of the hardware IO pins of the equipment.
Example (b):
referring to fig. 8, the wireless network device of the present embodiment includes the following components:
1. an embedded CPU processor, which in this embodiment adopts an STM32F103RD chip, where a main clock of the chip processor is 72MHz, and an internal program code FLASH space is 384 Kbyte; the STM32F103RD CPU processor has an internal FLASH read protection mechanism, and can ensure that program codes stored in the CPU processor are not read by a third party;
2. an SHA256 encryption chip, in this embodiment, an ATSHA204 encryption chip is used as the SHA256 encryption chip, the encryption chip is connected with a CPU processor IO through an I2C bus for communication, and can store 16 32-byte encryption keys, and the encryption chip also has a read protection mechanism, and can protect the 16 encryption keys from being read out;
3. a wireless communication interface, in this embodiment, an SI4463 wireless communication module is used to implement wireless communication of the device;
4. the wired communication interface, which has 2 RS232 communication interfaces in this embodiment, adopts SP3232EEA chip, 1 RS485 communication interface, SP3485EN chip, 1 CAN bus communication interface, and 1 USB communication interface to communicate and transmit data with other devices;
5. the embodiment adopts an M25P32 FLASH memory to store the upgrade program encryption ciphertext, has a 4Mbyte storage space, adopts an SPI interface and a CPU processor to perform data interaction, and is used for storing the upgrade program encryption ciphertext transmitted through a wireless communication interface or a wired communication interface;
6. the power supply chip, which adopts the SPX1117M5 power management chip in this embodiment, is used to convert a 5V power supply into a 3.3V power supply, and to supply power to the CPU processor, the encryption chip, the wireless communication module, the extended FLASH memory, and other devices.
Referring to fig. 9, a 384Kbyte FLASH program code space inside the CPU processor of this embodiment is divided into five partitions, the first partition is 32Kbyte in size and is used to store boot and decryption codes, and the codes in the partitions are named boot codes in the present invention; the size of the second partition is 144Kbyte, and the second partition is used for storing decrypted upgrading program codes; the third partition is as large as the second partition and is used for storing and decrypting backups of the app codes running before upgrading, the third partition is named as an app-back backup partition, and after a certain upgrading program runs wrongly, the code in the app-back backup partition can be used for recovering to the program running in an old version; the fourth partition is 48Kbyte in size and is used for storing a key code library, and codes in the partition are named as lib codes; the fifth partition is 16Kbyte in size and is used to store configuration data for the operation of the device, and the invention names the data in this partition as cfg data.
Aiming at the division of FLASH space partitions with different sizes in different CPU processors, the invention firstly ensures that the boot size of a first partition is 32Kbyte, and the storage position is set to be the lowest address space of an internal FLASH; secondly, ensuring that the size of the cfg of the fifth sub-area is 16Kbyte, and setting the storage position in the highest address space of the internal FLASH; the size of the lib of the fourth partition is set according to the size of a key code library, the size of the lib is set to be 48Kbyte by default, if the key code library does not need to be called in the equipment, the size of the lib partition is not smaller than 48Kbyte, the purpose is to set an isolation area, it is ensured that the app-back backup code of the third partition does not cover cfg configuration data beyond the boundary, and reliability and stability in the upgrading operation process of the equipment are ensured; and finally, dividing the internal FLASH space of the rest CPU processor into two equal apps and two app-back partitions for storing the device running code.
If encryption with higher security strength is required, a plurality of ATSHA204 encryption chips can be expanded to store 32, 64, 128, 256 or more encryption keys, and 2, 4, 8, 16 or more encryption chips can be connected to a plurality of IO ports of a CPU for communication, so that the storage and management of more encryption keys are realized, the length of the encryption keys is increased, and the security strength of encryption is provided.
In this embodiment, the ATSHA204 encryption chip is used to store the encryption key, and when a plurality of ATSHA204 encryption chips are expanded, if the number of IO ports of the CPU processor is small, the ATSHA204 encryption chip may be connected in a communication manner using a 1-bit bus; if it is necessary to expand more than 256 encryption keys, another CPU processor STM8S007C8 chip may be used to perform SHA256 hash operation to make the encryption chip, where the processor has 64Kbyte storage space inside, but may store 2000 encryption keys of 32 bytes, 1000 encryption keys of 64 bytes, or a longer encryption key such as 128 bytes.
Referring to fig. 10, the transmission step of the upgrade program in the CPU processor internal FLASH and the extended FLASH memory is as follows:
1. firstly, receiving an upgrade program encryption ciphertext through a wireless communication interface or a wired interface, and writing the received encryption ciphertext data into an off-chip FLASH memory;
2. then sending an encrypted abstract request instruction to a remote server through a remote wireless network, after receiving the encrypted abstract request instruction, the remote server acquires an encrypted abstract and decrypts the encrypted abstract data according to the encrypted abstract data request and decryption steps of the invention, and stores the decrypted encrypted abstract data in the fifth sub-area cfg data of the CPU processor;
3. restarting the wireless remote equipment, executing the boot code, reading cfg data in the fifth partition in the boot code execution process, checking whether encryption abstract data exists, reading the extended FLASH memory, checking whether an upgrade program encryption key file exists, and verifying the encryption abstract and the upgrade program encryption key file;
4. if the verification of the encrypted abstract and the upgrade program encrypted key file exist, executing decryption operation, and if the verification fails, executing steps 7 and 8 to start a second partition program;
5. after the CPU processor verifies that the upgrade program plaintext is correct through plaintext abstract data in the encrypted abstract data after the decrypted upgrade program plaintext is decrypted, data in a second partition of the CPU is copied to a third partition to be stored and backed up;
6. writing the decrypted and verified upgrade program plaintext into a second partition, and executing steps 7 and 8 to start the second partition program if verification fails;
7. firstly erasing the upgrade program encrypted ciphertext data in the extended FLASH memory, and then erasing the encrypted abstract data in the cfg data of the fifth subarea;
8. and starting and executing a new upgrading program in the second partition app, so that the upgrading program is completed. If the verification error of the encrypted abstract and the encrypted ciphertext of the upgrading program is detected in the boot code execution process or the decryption fails in the decryption operation process, directly executing the steps 7 and 8 to start the second partition program, and informing the remote server that the upgrading program fails.
The relationship among the program compiling computer, the remote server, the upgrading program terminal and the wireless communication network of the embodiment is shown in fig. 11:
1. compiling the binary file of the upgrading program by the compiling computer, and encrypting the upgrading program by the encryption processing device to generate an upgrading encryption ciphertext and encryption abstract data;
2. the upgrade program encrypted ciphertext is sent to a remote server through copying, copying and E-mail, or is written into a handheld upgrade terminal through a USB, RS232 and other wired interfaces;
3. the upgrade program ciphertext is written into the upgrade terminal in two modes, one mode is that the upgrade program ciphertext is sent to the wireless network equipment n through a remote server to be stored, and the other mode is that the upgrade program ciphertext is sent to the wireless network equipment n through a wireless module signal to be stored through the handheld upgrade terminal;
4. when the program is upgraded, the remote server sends an encrypted abstract data request instruction to the encryption processing device, the encryption processing device sends the encrypted abstract data to the remote server through a transmission path and a transmission mode which are independent of an encrypted ciphertext, the remote server sends the encrypted abstract data to the wireless network equipment n, and decryption upgrading operation is executed; the safe transmission mode recommended by the invention is that the encrypted ciphertext is transmitted by copying and copying a file, and the encrypted abstract data is transmitted by adopting an instant network communication instruction mode, so that the encrypted ciphertext, the encrypted ciphertext and the encrypted abstract are not transmitted in the same mode and are not transmitted at the same time.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
Furthermore, it should be understood that although the present specification describes embodiments, not every embodiment includes only a single embodiment, and such description is for clarity purposes only, and it is to be understood that all embodiments may be combined as appropriate by one of ordinary skill in the art to form other embodiments as will be apparent to those of skill in the art from the description herein.

Claims (6)

1. A method for carrying on the procedure upgrading to the wireless network apparatus, characterized by, there are field upgrading mode and long-range upgrading mode to carrying on the procedure upgrading to the wireless network apparatus, the field upgrading mode is to upgrade the wireless network apparatus closely by the hand-held upgrading terminal application field, the mode writes the encrypted cipher text of the upgrading procedure into the hand-held upgrading terminal through the wired communication interface of the PC computer, the hand-held upgrading terminal sends the encrypted cipher text of the upgrading procedure to the apparatus to be upgraded in order to upgrade through the wireless signal; the remote upgrading mode is to utilize a remote server to carry out remote upgrading of the equipment through wireless network communication, and the mode sends an upgrading program encryption ciphertext to the equipment to be upgraded through a wireless network channel through the remote server to carry out upgrading; in the two upgrading modes, a handheld upgrading terminal or a remote server which sends an upgrading program encryption ciphertext is uniformly named as upgrading service equipment, and target wireless network equipment to be subjected to program upgrading is named as upgrading terminal equipment;
the upgrading service equipment and the upgrading terminal equipment comprise an embedded CPU processor, an SHA256 Hash encryption chip and a wireless communication module or a wired communication interface;
the embedded CPU processor is used for executing the embedded code program, decrypting the encrypted file and encrypting and decrypting the communication data of the network equipment;
the SHA256 Hash encryption chip utilizes the hardware encryption chip to realize the safe storage and Hash operation of the encryption and decryption keys, improves the speed, efficiency and safety of program and data encryption and decryption processing, and can perform communication data legality authentication;
the wireless communication module or the wired communication interface is used for receiving and transmitting the upgrade program encrypted ciphertext and transmitting and receiving communication instructions and data;
if the internal storage space of the embedded CPU processor is large, except the CPU executing codes, the space also stores the upgrade program encryption ciphertext, the expansion FLASH memory is not selected, otherwise, the embedded CPU processor is externally connected with an expansion FLASH memory and is used for storing the received upgrade program encryption ciphertext;
the SHA256 hash encryption chips comprise one or more ATSHA204 encryption chips, are used for storing 32, 64, 128, 256 or more encryption keys and connecting 2, 4, 8, 16 or more encryption chips to a plurality of IO ports of a CPU processor for communication;
when the upgrade program is encrypted, the security is enhanced:
the encryption program establishes an encryption key pool which comprises a plurality of 32-byte encryption keys, and when upgrading program encryption is carried out on different clients and different wireless network devices, different 16 32-byte encryption keys are selected to encrypt the upgrading program;
performing SHA256 hash operation on the upgrade program plaintext abstract, the client information, the encryption processing device hardware ID and the encryption time information, inputting the hash result as a random number seed into a random number generator, and generating 9 types of random numbers which are different from each other and are used for the upgrade program encryption operation, wherein the 9 types of random numbers are as follows: random completion factor n, random XOR starting sequence number, random XOR shift digit, random parity shift digit, random byte alignment number, random interpolation position, random interpolation content selection, random interpolation number and random encryption repetition number;
when data is encrypted, a 32-byte exclusive-OR key is adopted to carry out exclusive-OR encryption on 32-byte data packets, the length of the exclusive-OR key is 32 bytes and 256 bits long, and the length of the key is the same as that of the data; and each different 32-byte data packet is subjected to exclusive-or encryption after being shifted by adopting a different encryption key;
when data interpolation is carried out, because INS interpolation data inserted each time are obtained by shifting the encryption key, the encryption key cannot be obtained in a traversal mode under the condition that the number of bits of the interpolation key in the encrypted digest data is not determined;
because the XOR encryption processing and the interpolation encryption processing are repeatedly carried out for a plurality of times, the XOR KEY and the interpolation data are randomly shifted by the KEY 1-16 encryption KEYs each time, the interpolation quantity each time is different, and the original data are alternately covered in the repeated encryption process;
when data interpolation is carried out, the number of the inserted INS data is 1-15 INS, but not all 16 INS data, and it is guaranteed that 16 encryption keys can be completely extracted after multiple times of interpolation data extraction and reverse decryption XOR.
2. A method for encrypting an upgrading program of wireless network equipment is characterized in that the procedures of encrypting the upgrading program and upgrading the upgrading program are as follows:
(a) compiling and testing the upgrading program codes at a PC computer and generating a binary upgrading program plaintext file;
(b) encrypting the binary upgrading program plaintext file by adopting an encryption step to generate an upgrading program encrypted ciphertext and encrypted abstract data;
(c) transmitting the upgrade program encrypted ciphertext to an equipment manager;
(d) the equipment management personnel sends the upgrading program encrypted ciphertext to the upgrading terminal equipment for storage by using a field upgrading mode or a remote upgrading mode, and verifies the upgrading program encrypted ciphertext;
(e) the remote server sends an upgrading decryption instruction and the encrypted abstract data to the upgrading terminal equipment through a remote wireless network;
(f) after the upgrading terminal equipment receives the upgrading decryption instruction and the encrypted abstract data, decrypting the encrypted ciphertext of the stored upgrading program;
(g) after the encrypted ciphertext of the upgrading program is decrypted, the plaintext of the upgrading program is verified;
(h) after the plaintext is verified correctly, the decrypted program plaintext can be written into the code execution area of the embedded CPU as an upgrading program code, and a new upgrading program is started to be executed; the decryption operation is the reverse of the encryption operation; in order to ensure the reliability of decryption, verification and code writing of the program upgrading program into the execution area, the upgrading terminal device divides A, B the code execution area into 2 storage areas which are used for alternately storing the currently executed original program code and the new upgrading program code;
when the upgrade program is encrypted, the security is enhanced:
the encryption program establishes an encryption key pool which comprises a plurality of 32-byte encryption keys, and when upgrading program encryption is carried out on different clients and different wireless network devices, different 16 32-byte encryption keys are selected to encrypt the upgrading program;
performing SHA256 hash operation on the upgrade program plaintext abstract, the client information, the encryption processing device hardware ID and the encryption time information, inputting the hash result as a random number seed into a random number generator, and generating 9 types of random numbers which are different from each other and are used for the upgrade program encryption operation, wherein the 9 types of random numbers are as follows: random completion factor n, random XOR starting sequence number, random XOR shift digit, random parity shift digit, random byte alignment number, random interpolation position, random interpolation content selection, random interpolation number and random encryption repetition number;
when data is encrypted, a 32-byte exclusive-OR key is adopted to carry out exclusive-OR encryption on 32-byte data packets, the length of the exclusive-OR key is 32 bytes and 256 bits long, and the length of the key is the same as that of the data; and each different 32-byte data packet is subjected to exclusive-or encryption after being shifted by adopting a different encryption key;
when data interpolation is carried out, because INS interpolation data inserted each time are obtained by shifting the encryption key, the encryption key cannot be obtained in a traversal mode under the condition that the number of bits of the interpolation key in the encrypted digest data is not determined;
because the XOR encryption processing and the interpolation encryption processing are repeatedly carried out for a plurality of times, the XOR KEY and the interpolation data are randomly shifted by the KEY 1-16 encryption KEYs each time, the interpolation quantity each time is different, and the original data are alternately covered in the repeated encryption process;
when data interpolation is carried out, the number of the inserted INS data is 1-15 INS, but not all 16 INS data, and it is guaranteed that 16 encryption keys can be completely extracted after multiple times of interpolation data extraction and reverse decryption XOR.
3. The method of claim 2, wherein the data block of the encrypted digest data comprises a padding digest, an exclusive-or digest, an identity digest, an interpolation digest, a repetition digest and a plaintext digest, and the data block is critical data for decryption by the upgrade program and is transmitted to the wireless network device through a secure authenticated wireless network channel.
4. The method for encrypting the upgrading program of the wireless network device as claimed in claim 2, wherein the KEY matching extraction step based on SHA256 operation rule design of the encryption chip is as follows:
(A) the embedded CPU processor obtains 32-byte DATA DATA to be decrypted and matched;
(B) the embedded CPU processor sends an instruction A to the encryption chip, a random number TMP is generated inside the encryption chip, and a temporary Hash value TMP _ SHA is generated by using SHA256 hardware arithmetic logic;
(C) the embedded CPU processor reads the temporary Hash value TMP _ SHA and carries out SHA256 operation with the matched DATA DATA to be decrypted to generate a new Hash value DATA _ SHA;
(D) the embedded CPU processor sends an instruction B to the encryption chip, and the encryption chip utilizes SHA256 hardware arithmetic logic to calculate TMP _ SHA and KEY1 to generate a KEY1_ SHA which is output to the CPU;
(E) the embedded CPU processes and compares DATA _ SHA and KEY1_ SHA, and according to the design principle inside the encryption chip, as long as DATA _ SHA and KEY1_ SHA are the same, KEY1 and DATA are determined to be the same, namely the DATA is matched as a KEY1 KEY in the encryption chip;
(F) if the DATA _ SHA and the KEY1_ SHA are not the same, the loop step (D) performs hash operation on KEY2, matches KEY2_ SHA and DATA _ SHA, and matches all 16 KEYs in the encryption chip, if a proper KEY is matched, the DATA is a KEYn, and if not, the DATA is not an encryption KEY.
5. The method for encrypting the upgrading program of the wireless network device according to claim 2, wherein the steps of the upgrading terminal device encrypting digest data request and decrypting are as follows:
firstly, upgrading terminal equipment to send a request for encrypting summary data to a wireless network remote server;
secondly, the wireless network remote server calculates the hash value DIGEST _ DATA _ SHA of the encrypted abstract DATA and the ID of the upgrading terminal equipment by using the hash algorithm of the SHA256 hash encryption chip;
thirdly, the wireless network remote server calculates a USER temporary number USER _ ID _ TMP containing a random number by using the USER number USER _ ID of the upgrading terminal equipment and the random number TMP through a Hash algorithm of an SHA256 Hash encryption chip;
fourthly, the remote wireless network remote server calculates the USER temporary serial number USER _ ID _ TMP and the 2 random encryption keys KEya and KEYb into two temporary keys KEya _ SHA and KEYb _ SHA of 32 bytes by using a Hash algorithm of an SHA256 Hash encryption chip;
the wireless network remote server performs exclusive or encryption processing on the encrypted DIGEST DATA DIGEST _ DATA by using temporary keys KEYa _ SHA and KEYb _ SHA to generate NEW encrypted DIGEST DATA DIGEST _ DATA _ NEW;
(VI) the wireless network remote server sends the USER temporary number USER _ ID _ TMP, the encrypted DIGEST DATA hash value DIGEST _ DATA _ SHA and the NEW encrypted DIGEST DATA DIGEST _ DATA _ NEW to the upgrading terminal equipment;
(seventh) after the upgrade terminal device receives the USER temporary number USER _ ID _ TMP, the hash value of the encrypted DIGEST DATA DIGEST _ DATA _ SHA, and the NEW encrypted DIGEST DATA DIGEST _ DATA _ NEW, the temporary decrypted DATA KEY1_ SHA to KEY16_ SHA are obtained by using the hash algorithm of the SHA256 hash encryption chip through all KEYs KEY 1-16 and USER _ ID _ TMP in the encryption chip inside the upgrade terminal device, and the temporary decrypted DATA KEY1_ SHA to KEY16_ SHA are traversed to extract two decrypted DATA KEY _ SHA and KEY _ SHA;
(eighthly), carrying out XOR processing on DIGEST _ DATA _ NEW by KEYx _ SHA and KEYy _ SHA to restore encrypted DIGEST DATA DIGEST _ DATA _ X;
(ninthly) calculating a hash value DIGEST _ DATA _ X of the DATA DIGEST _ DATA _ X and the upgrading terminal device ID by using a hash algorithm of the SHA256 hash encryption chip;
and (ten) comparing the hash values of the encrypted DIGEST DATA DIGEST _ DATA _ SHA and DIGEST _ DATA _ SHA _ X transmitted from the remote server, if the hash values of the encrypted DIGEST DATA DIGEST _ DATA _ SHA and DIGEST _ DATA _ SHA _ X are equal, indicating that the restored encrypted DIGEST DATA DIGEST _ DATA _ X and the original encrypted DIGEST DATA DIGEST _ DATA are the same, namely, decrypting the encrypted ciphertext of the upgrading program by using the encrypted DIGEST DATA, and if the hash values of the encrypted DIGEST DATA DIGEST _ DATA _ SHA and the original encrypted DIGEST DATA are different, repeating the steps (seven) to (ten) until the original encrypted DIGEST DATA is decrypted.
6. A method for encrypting communication data of wireless network equipment is characterized in that the encryption method comprises the following steps:
(1) data packet preprocessing: grouping upgrade program codes according to 32 bytes, utilizing the upgrade program plaintext abstract to perform data interpolation and supplement on data which is less than 32 bytes, wherein the interpolation and supplement method is to perform data interpolation and supplement on the 1 st and 2 nd bytes of the plaintext abstract multiplied by a supplement factor n% of the plaintext length as a supplement position, the 2 nd byte of the plaintext abstract multiplied by a supplement data 1, perform data interpolation and supplement on the 2 nd byte of the plaintext abstract multiplied by a supplement factor n% as a supplement position, the 3rd byte of the plaintext abstract multiplied by a supplement data 2 as a supplement position, perform data interpolation and supplement on the 3rd byte of the plaintext abstract, sequentially and circularly perform interpolation and supplement to complete 32-byte grouping processing, record 8-bit supplement factor n and 8-bit interpolation and supplement number as 16-bit supplement abstract, record one and only 1 supplement abstract in the whole upgrade program data encryption process, and fill the supplement abstract by 0x00 for the upgrade program which does not need interpolation and supplement;
(2) data exclusive-or encryption processing: selecting an initial KEY KEYn according to a 4-bit random XOR initial sequence number by using encryption KEYs KEY 1-16 according to sequence numbers from small to large, calculating a 4-bit random XOR shift digit multiplied by an XOR encryption processing time as a shift digit m, circularly shifting the KEY KEYn to the right according to the shift digit m, and then performing XOR encryption processing on the first 32-byte grouped data; and then carrying out exclusive-or encryption processing on the second 32-byte grouped data after carrying out right-hand cyclic shift on KEYn +1, carrying out exclusive-or encryption processing on each 32-byte grouped data after cyclically using KEY 1-16 in sequence, carrying out exclusive-or encryption processing on each 32-byte grouped data after completing one round of 16 encryption KEYs, still carrying out exclusive-or encryption processing according to the number of 4-bit random exclusive-or shift bits multiplied by the number of exclusive-or encryption processing times when carrying out cyclic exclusive-or processing again, carrying out exclusive-or encryption processing on each KEY KEY after circularly shifting each KEY right-hand according to the number of shift bits m, recording a 4-bit random exclusive-or starting sequence number and 8-bit random exclusive-or digest with the number of 4-bit random exclusive-or shift bits, recording one exclusive-or digest when carrying out exclusive-or encryption processing once, recording a plurality of exclusive-or digests when selecting the 4-bit random exclusive-or shift bits, selecting 3-or, 5, or, 7, 11 and 13 prime numbers are used as the XOR shift digit number, and because the prime numbers can ensure that the XOR values obtained after each shift are different during cyclic shift, the encryption safety is improved;
(3) and (3) interpolation data processing: after the XOR encryption is finished, assigning a 4-bit random XOR shift digit to a 4-bit interpolation KEY shift digit, circularly shifting each encryption KEY KEY participating in the XOR encryption recorded in the step (2) to the left by using the 4-bit interpolation KEY shift digit, generating INS 1-16 interpolation data for subsequent interpolation processing, and filling the corresponding INS of the KEY not participating in the XOR encryption to be 0;
(4) data equivalence preprocessing: the data obtained after the XOR encryption processing of the encrypted data has a certain probability and the same value as INS 1-16 interpolation data, and the decryption can be wrong when the subsequent interpolation processing is carried out, so the step carries out the data same value preprocessing, if a certain 32-byte data block and INS 1-16 interpolation data are the same value through traversing the whole encrypted data, the 32-byte data block is circularly moved to the left according to the random same value shift digit, so that the data body is different from 16 interpolation data, the initial position of 27-bit same value data and the 5-bit random same value shift digit are recorded as the same value abstract, a plurality of same value data bodies may exist in the same value preprocessing process every time, or the same value data bodies may not exist, 0x0000 filling record is adopted for the case that the same value data bodies do not exist, and 1-n same value abstracts are ensured to be recorded in the same value preprocessing process every time;
(5) data interpolation encryption processing: after the same value processing is carried out, inserting INS 1-16 interpolation data into the encrypted data randomly, wherein the inserting position is a random position aligned with 1-256 bytes randomly in all data spaces, the inserting number is the number of the KEYs participating in the exclusive-or encryption, the inserted data content is selected from 16 INS 1-16 interpolation data randomly, the INS with the INS data value of 0 is not inserted, the same INS interpolation data is ensured not to be inserted twice, and the probability of obtaining a secret KEY by adopting a matching mode is avoided;
(6) and data repeated encryption processing: after the KEY KEY is inserted once, the steps (2) to (E) can be repeated
(5) Performing next round of encryption processing, wherein the repeated encryption times are determined according to the 16-bit random repetition times, the size of the encrypted upgrade program ciphertext is controlled to be a predefined value by adjusting the 16-bit random repetition times and the random interpolation number in the step (5) of interpolation encryption processing, the 16-bit random encryption repetition times are recorded as 16-bit repeated digests, and one and only 1 repeated digest are recorded in the whole upgrade program data encryption process;
and (3) encrypting binary data of the upgrading program with high safety through the steps (1) to (6), generating two data blocks after the upgrading program is encrypted, wherein one data block is encrypted ciphertext data of the upgrading program, and the other data block is encrypted abstract data, and the two encrypted data blocks are sent to an upgrading equipment terminal through different ways to decrypt the upgrading program.
CN201710732946.0A 2017-08-22 2017-08-22 Method for encrypting wireless network equipment upgrading program and communication data Active CN109429222B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710732946.0A CN109429222B (en) 2017-08-22 2017-08-22 Method for encrypting wireless network equipment upgrading program and communication data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710732946.0A CN109429222B (en) 2017-08-22 2017-08-22 Method for encrypting wireless network equipment upgrading program and communication data

Publications (2)

Publication Number Publication Date
CN109429222A CN109429222A (en) 2019-03-05
CN109429222B true CN109429222B (en) 2022-06-07

Family

ID=65500386

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710732946.0A Active CN109429222B (en) 2017-08-22 2017-08-22 Method for encrypting wireless network equipment upgrading program and communication data

Country Status (1)

Country Link
CN (1) CN109429222B (en)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109194467A (en) * 2018-06-29 2019-01-11 北京东方英卡数字信息技术有限公司 A kind of safe transmission method and system of encryption data
CN110210210A (en) * 2019-05-27 2019-09-06 北京中电华大电子设计有限责任公司 A kind of the logical security design method and physical security design structure of terminal device
CN110176986A (en) * 2019-05-30 2019-08-27 杭州奇治信息技术股份有限公司 A kind of data ciphering method of multi-enciphering, device and mobile terminal
CN110378105B (en) * 2019-07-02 2021-06-04 广州小鹏汽车科技有限公司 Security upgrading method, system, server and vehicle-mounted terminal
CN110475245B (en) * 2019-07-15 2022-05-17 武汉阿迪克电子股份有限公司 Wireless encryption upgrading method for LoRaWAN terminal
CN110912690A (en) * 2019-11-01 2020-03-24 中国第一汽车股份有限公司 Data encryption and decryption method, vehicle and storage medium
CN111143893B (en) * 2019-12-17 2023-04-07 北京宏思电子技术有限责任公司 Secure implementation method and device for Hash grouping calculation
CN111654466B (en) * 2020-04-25 2022-03-01 中山佳维电子有限公司 Data encryption method for electronic valuation balance
CN112114843A (en) * 2020-07-31 2020-12-22 深圳市有方科技股份有限公司 Program upgrading system and method
CN111953415A (en) * 2020-08-13 2020-11-17 中达安(福建)科技有限公司 Optical communication data encryption and decryption method and device
CN111917542A (en) * 2020-08-13 2020-11-10 中达安(福建)科技有限公司 Method and device for receiving Ethernet data and encrypting space optical data
CN112118091B (en) * 2020-09-22 2021-04-23 郑州嘉晨电器有限公司 Data encryption bus self-adaptive industrial equipment remote system upgrading method
CN112153046B (en) * 2020-09-24 2023-04-07 施耐德电气(中国)有限公司 Data encryption and data decryption method, related equipment and storage medium
CN112506543B (en) * 2020-12-07 2023-07-14 天津津航计算技术研究所 Multi-device software upgrading management method and system
CN112738111A (en) * 2020-12-31 2021-04-30 西安航普电子有限责任公司 Automatic upgrading method for embedded terminal
CN114513780A (en) * 2022-04-15 2022-05-17 广州市伍麦信息科技有限公司 Wireless communication network encryption system based on random key
CN114996725B (en) * 2022-05-06 2023-07-28 北京中科昊芯科技有限公司 Method for protecting development program and processor
CN116305221B (en) * 2023-05-18 2023-08-29 深圳曦华科技有限公司 Encryption method and related device of image processing chip system
CN117632199A (en) * 2024-01-26 2024-03-01 荣耀终端有限公司 Program upgrading method, electronic device, chip system and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5425103A (en) * 1994-03-14 1995-06-13 Shaw; William Y. Variable-key cryptography system
CN1425987A (en) * 2001-12-10 2003-06-25 中国科学院软件研究所 Encrypting method for reinforcing disordered block cipher
CN101262339A (en) * 2001-09-27 2008-09-10 松下电器产业株式会社 An encryption device, a decrypting device, a secret key generation device,a copyright protection system and a cipher communication device
CN106789056A (en) * 2017-02-03 2017-05-31 济南浪潮高新科技投资发展有限公司 A kind of hardware encryption system and method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100574367C (en) * 2007-07-18 2009-12-23 中国联合网络通信集团有限公司 Method for updating set-top box software and upgrade-system
US9118689B1 (en) * 2012-04-13 2015-08-25 Zscaler, Inc. Archiving systems and methods for cloud based systems
CN104282098B (en) * 2013-07-08 2016-09-07 航天信息股份有限公司 The making out an invoice and copy tax process upgrade method of a kind of tax-controlling device
CN103546576B (en) * 2013-10-31 2017-08-11 中安消技术有限公司 A kind of embedded device remote automatic upgrading method and system
CN106778285A (en) * 2016-12-09 2017-05-31 美的智慧家居科技有限公司 For method, the device upgraded to equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5425103A (en) * 1994-03-14 1995-06-13 Shaw; William Y. Variable-key cryptography system
CN101262339A (en) * 2001-09-27 2008-09-10 松下电器产业株式会社 An encryption device, a decrypting device, a secret key generation device,a copyright protection system and a cipher communication device
CN1425987A (en) * 2001-12-10 2003-06-25 中国科学院软件研究所 Encrypting method for reinforcing disordered block cipher
CN106789056A (en) * 2017-02-03 2017-05-31 济南浪潮高新科技投资发展有限公司 A kind of hardware encryption system and method

Also Published As

Publication number Publication date
CN109429222A (en) 2019-03-05

Similar Documents

Publication Publication Date Title
CN109429222B (en) Method for encrypting wireless network equipment upgrading program and communication data
CN110378139B (en) Data key protection method, system, electronic equipment and storage medium
CN110519260B (en) Information processing method and information processing device
CA2919106C (en) Media client device authentication using hardware root of trust
CN109104724B (en) A kind of data ciphering method and device for device upgrade
CN105450620A (en) Information processing method and device
TW201807615A (en) Device programming with system generation
CN104468089A (en) Data protecting apparatus and method thereof
CN113114654B (en) Terminal equipment access security authentication method, device and system
CN104732159A (en) File processing method and file processing device
CN103853943A (en) Program protection method and device
CN110855667A (en) Block chain encryption method, device and system
CN109194467A (en) A kind of safe transmission method and system of encryption data
US11341217B1 (en) Enhancing obfuscation of digital content through use of linear error correction codes
CN112115461B (en) Equipment authentication method and device, computer equipment and storage medium
CN112383522B (en) Function parameter data transmission encryption method, system, device and readable storage medium
CN116455572B (en) Data encryption method, device and equipment
TWI488478B (en) Techniques for performing symmetric cryptography
CN109905395B (en) Method and related device for verifying credibility of client
US10057054B2 (en) Method and system for remotely keyed encrypting/decrypting data with prior checking a token
CN116781265A (en) Data encryption method and device
CN109150813A (en) A kind of verification method and device of equipment
CN111368345A (en) Method, device, equipment and computer readable storage medium for decrypting encrypted program
CN104392153A (en) Software protection method and system
CN113656792B (en) Electronic detonator password verification method and device and terminal equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20200109

Address after: 361001 Room 601, No. 6, shiting Road, Siming District, Xiamen City, Fujian Province

Applicant after: Ye Yirong

Address before: 243102 Taibai Town Industrial Concentration Zone, Dangtu County, Ma'anshan City, Anhui Province

Applicant before: Ma Shan Yang Communication Technology Co. Ltd.

GR01 Patent grant
GR01 Patent grant